Security threats Toolkit

Windows patches may become automatic

Tags:
Auto Update,
Security,
Patch,
Microsoft

Matthew Broersma ZDNet.co.uk

Published: 21 Aug 2003 13:30 BST

Microsoft is considering changing the way that Windows updates security patches, making the update process automatic by default, following the latest round of security problems for Windows users.

A Microsoft spokeswoman said the company is "giving strong consideration to enabling Auto Update by default in future versions of Windows," though the company has not yet committed to a time frame. If Microsoft decides to go ahead with the change, it could be implemented in Longhorn, the code name for the next version of Windows, which is expected to be completed in late 2004.

Automatic installation of security patches might have helped prevent the recent MSBlast worm, which successfully attacked hundreds of thousands of PCs that had not installed a month-old patch.

Currently, automatic updates are available as an option. Microsoft executives said the company decided not to make the feature a Windows default with Windows XP following customer feedback that suggested users did not want Microsoft controlling their PCs.

Some security experts, even those normally suspicious of Microsoft, said automatic updates might be the best way to secure users' PCs -- particularly those of home users and small businesses. Bruce Schneier, co-founder of Counterpane Internet Security and a well-known Microsoft critic, came out in support of the suggestion, telling the Washington Post that it was a "trade-off that's worthwhile".

Analyst firm Gartner agrees, saying that the move could help average IT users, who generally lack the time and IT knowledge to keep up with the latest patches.

But Gartner suggests that Microsoft must make some changes to its updating system before it can be trusted to install software automatically on users' PCs. Gartner says Microsoft must promise not to use the auto-update feature for anything but security patches, and should allow a security review of the system by outside parties.

"A compromise of this comparatively new feature could have catastrophic results," Gartner's Terry Allan Hicks said in a statement.

Many users, particularly enterprise system administrators, like to evaluate patches before they are applied -- and with good reason, because patches can interfere with other software, or even cause system failures. In a well-known incident, Microsoft's Service Pack 6 for Windows NT crashed thousands of servers.

When the first Windows XP service patch appeared last autumn, critics said the patch's terms of use gave Microsoft the right to check product versions and block some programs, although Microsoft insisted that no personal information would be collected.

This is not the first time Microsoft has mooted the idea of changing its software update mechanism. In June the company said it planned to simplify its patch technology and to expand its automatic update service to include more products.

The software giant identified four areas where it plans to make improvements over the next 12 months: patch quality; delivering information to its customers; broadening the number of applications supported by its automated update technology; and simplifying the way that patches are applied.

CNET News.com's Robert Lemos contributed to this report.